Hi,

We mistakenly only try to go back to the SSL handshake when not able to send
early data if we're acting as a client; that is wrong, and leads to an
infinite loop if it happens on the server side.
The attached patch should fix this.

Regards,

Olivier
From 2c011f4bfa515495c47c2495510ee01b199d4a26 Mon Sep 17 00:00:00 2001
From: Olivier Houchard <[email protected]>
Date: Wed, 22 Nov 2017 17:38:37 +0100
Subject: [PATCH] BUG/MINOR: ssl: Always start the handshake if we can't send
 early data.

The current code only tries to do the handshake in case we can't send early
data if we're acting as a client, which is wrong; it has to be done on the
server side too, or we end up in an infinite loop.
---
 src/ssl_sock.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d1977960c..b8793fce6 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5514,10 +5514,8 @@ static int ssl_sock_from_buf(struct connection *conn, 
struct buffer *buf, int fl
                        if (try + conn->tmp_early_data > max_early) {
                                try -= (try + conn->tmp_early_data) - max_early;
                                if (try <= 0) {
-                                       if (objt_server(conn->target)) {
-                                               conn->flags &= 
~CO_FL_EARLY_SSL_HS;
-                                               conn->flags |= 
CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
-                                       }
+                                       conn->flags &= ~CO_FL_EARLY_SSL_HS;
+                                       conn->flags |= CO_FL_SSL_WAIT_HS | 
CO_FL_WAIT_L6_CONN;
                                        break;
                                }
                        }
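Review bot: the `try <= 0` branch now unconditionally clears CO_FL_EARLY_SSL_HS and sets CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN before the `break`, which matches the commit message, but the message should spell out the failure being fixed: with the old `objt_server(conn->target)` guard, a server-side connection that had exhausted `max_early` reached `break` with `try <= 0` while still flagged for early data, so the next call took the same path with nothing changed, hence the loop. It is also worth stating in the message that the budget check `try + conn->tmp_early_data > max_early` does not depend on which side we are on, so there was never a reason for the handshake fallback to be client-only; that makes the removal of the guard self-evidently correct rather than something a later reader has to re-derive.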
-- 
2.14.3